GHOST Vulnerability

Any ETA on a patch?
http://itsecurityguru.org/security-advisory-ghost-vulnerability-linux-systems/#.VMlUuP54ojo


See http://issues.freepbx.org/browse/FREEPBX-8640 for an issue alerting the maintainers that CentOS 6.5 is affected in FreePBX 2.11

We are working on this. However, please keep in mind that this vulnerability is extremely hard to replicate. That does not mean we are downplaying it, only giving a reason for the delayed response in Schmooze OS.

However, closer inspection reveals that this particular vulnerability, while serious, is not easy to exploit and has a very limited attack surface.

http://blog.trendmicro.com/trendlabs-security-intelligence/not-so-spooky-linux-ghost-vulnerability

Here is a list of potential targets that we investigated (they all call gethostbyname, one way or another), but to the best of our knowledge, the buffer overflow cannot be triggered in any of them:

apache, cups, dovecot, gnupg, isc-dhcp, lighttpd, mariadb/mysql, nfs-utils, nginx, nodejs, openldap, openssh, postfix, proftpd, pure-ftpd, rsyslog, samba, sendmail, sysklogd, syslog-ng, tcp_wrappers, vsftpd, xinetd.

We have pushed a new glibc to our yum repositories for the 5.211.65 and 6.12.65 FreePBX tracks as well as the 10.12.65 PBXact track. You can update by simply running yum update glibc.

You may have to run yum clean all prior to yum update glibc.
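The posts above make two practical points: the overflow is only reached when a hostname that looks like an IPv4 address (digits and dots only) is passed through gethostbyname, and the fix is to pull the rebuilt glibc with yum update glibc. The self-test below is an added example, not code from this thread or from FreePBX or Schmooze; it is modelled on the canary technique used in the public Qualys advisory for CVE-2015-0235. It hands gethostbyname_r() a 1024-byte buffer that is immediately followed by a canary string, together with a digits-only name sized so that it fits the buffer only under the mis-sized check in glibc 2.2 through 2.17. The CANARY text and the ghost_check() name are this example's own choices.

```c
/*
 * GHOST (CVE-2015-0235) self-test, modelled on the canary approach in the
 * public Qualys advisory.  Added example, not code from the FreePBX thread.
 *
 * The bug: __nss_hostname_digits_dots() in glibc 2.2 .. 2.17 computed the
 * space it needed in the caller's buffer without the sizeof(char *) used
 * for h_alias_ptr.  For a name that is all digits and dots, is accepted by
 * inet_aton(), and is sized so the broken check just passes, the strcpy()
 * of the name runs sizeof(char *) bytes (4 on 32-bit, 8 on 64-bit) past
 * the end of the buffer.
 *
 * Build and run:  gcc -Wall -o ghost-check ghost-check.c && ./ghost-check
 */
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

#define CANARY "in_the_coal_mine"   /* example's own marker string */

enum ghost_result {
    GHOST_NOT_VULNERABLE = 0,  /* glibc rejected the name with ERANGE */
    GHOST_VULNERABLE = 1,      /* canary overwritten: the buffer overflowed */
    GHOST_INCONCLUSIVE = 2     /* no overflow, but not the expected ERANGE */
};

/* Buffer handed to gethostbyname_r(), followed directly by the canary.
 * Both members are char arrays, so no padding separates them. */
static struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} temp;

static enum ghost_result ghost_check(void)
{
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;

    /* Reset state so the check can be run more than once. */
    memset(temp.buffer, 0, sizeof(temp.buffer));
    memcpy(temp.canary, CANARY, sizeof(CANARY));

    /*
     * Vulnerable bookkeeping:
     *   size_needed = sizeof(host_addr[16]) + sizeof(char *[2]) + strlen(name) + 1
     * Choose strlen(name) so size_needed == sizeof(temp.buffer) exactly:
     * the broken check passes, the fixed check (which adds sizeof(char *)
     * for h_alias_ptr) fails with ERANGE.
     */
    size_t len = sizeof(temp.buffer) - 16 - 2 * sizeof(char *) - 1;
    char name[sizeof(temp.buffer)];
    memset(name, '0', len);   /* all digits, no trailing dot: inet_aton()
                                 parses it as 0.0.0.0, so the numeric path
                                 copies the name into our buffer */
    name[len] = '\0';

    int retval = gethostbyname_r(name, &resbuf, temp.buffer,
                                 sizeof(temp.buffer), &result, &herrno);

    if (memcmp(temp.canary, CANARY, sizeof(CANARY)) != 0)
        return GHOST_VULNERABLE;
    if (retval == ERANGE)
        return GHOST_NOT_VULNERABLE;
    return GHOST_INCONCLUSIVE;
}

int main(void)
{
    switch (ghost_check()) {
    case GHOST_VULNERABLE:
        puts("vulnerable: gethostbyname_r() overwrote the canary");
        return 1;
    case GHOST_NOT_VULNERABLE:
        puts("not vulnerable: glibc returned ERANGE and left the canary intact");
        return 0;
    default:
        puts("inconclusive: no overflow, but glibc did not return ERANGE");
        return 2;
    }
}
```

Run it before and after yum update glibc to confirm the shmz65 package actually closes the hole on the box in question. A freshly started test program always loads the glibc currently on disk, so a "not vulnerable" result says nothing about daemons that were already running when the package was installed; Asterisk and anything else linked against the old library keep executing the old code until they are restarted or the system is rebooted.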

Hi, I’m still getting the hang of this Linux stuff, so sorry if this is a stupid question.

I’m trying to update my system with yum -y update and I’m getting the following errors.

Can anyone help me out on how I go about fixing this issue? Thank you for your time and effort in advance.

[root@freepbx ~]# yum -y update
Loaded plugins: fastestmirror, kmod
Loading mirror speeds from cached hostfile
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package glibc.x86_64 0:2.12-1.132.el6_5.4 will be updated
---> Package glibc.x86_64 0:2.12-1.149.shmz65.1.1 will be an update
---> Package glibc-common.x86_64 0:2.12-1.132.el6_5.4 will be updated
--> Processing Dependency: glibc-common = 2.12-1.132.el6_5.4 for package: glibc-2.12-1.132.el6_5.4.i686
---> Package glibc-common.x86_64 0:2.12-1.149.shmz65.1.1 will be an update
---> Package glibc-devel.x86_64 0:2.12-1.132.el6_5.4 will be updated
---> Package glibc-devel.x86_64 0:2.12-1.149.shmz65.1.1 will be an update
---> Package glibc-headers.x86_64 0:2.12-1.132.el6_5.4 will be updated
---> Package glibc-headers.x86_64 0:2.12-1.149.shmz65.1.1 will be an update
--> Finished Dependency Resolution
Error: Package: glibc-2.12-1.132.el6_5.4.i686 (@updates)
           Requires: glibc-common = 2.12-1.132.el6_5.4
           Removing: glibc-common-2.12-1.132.el6_5.4.x86_64 (@updates)
               glibc-common = 2.12-1.132.el6_5.4
           Updated By: glibc-common-2.12-1.149.shmz65.1.1.x86_64 (pbx)
               glibc-common = 2.12-1.149.shmz65.1.1
           Available: glibc-common-2.12-1.132.el6.x86_64 (base)
               glibc-common = 2.12-1.132.el6
           Available: glibc-common-2.12-1.132.el6_5.1.x86_64 (updates)
               glibc-common = 2.12-1.132.el6_5.1
           Available: glibc-common-2.12-1.132.el6_5.2.x86_64 (updates)
               glibc-common = 2.12-1.132.el6_5.2
           Available: glibc-common-2.12-1.132.el6_5.3.x86_64 (updates)
               glibc-common = 2.12-1.132.el6_5.3
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest

Never mind, I sorted it out… thanks anyway.

I’m getting the same error when trying to update glibc. What did you do to fix it? I’ve tried yum clean all to no success.

Same issue here, but so far nobody seems to have offered up a way to correct this. Not sure why this happened to some installs but not others. Still, it would be nice to correct it and load the updated libs…

What version of the Distro are you using that this is failing on?

It looks like we’re on 5.211.65-16 at present. I see from your releases page that we’re a few minor versions behind. I’ll see if we can schedule in downtime to update to the latest minor version and then retry the glibc update.

Whoops, I didn’t see this for a bit, but if you were by chance asking me. The system in question is FreePBX Distro, that started life as a 5.x release, but is currently at 6.12.65-24 at this time. I have run all the latest distro update scripts, but of course they fail on this part of the yum updates.

I have waited days and run yum clean all multiple times, but still always the same result…